Strengthening Cyber Preparedness Following Attack on Change Healthcare
February 21, 2025
Last year’s cyberattack on Change Healthcare has had a significant impact on care delivery, as well as financial consequences for patients, providers, and communities across the U.S., according to a report released this week by the American Hospital Association (AHA).
“The cyberattack on Change Healthcare in February 2024 disrupted health care operations on an unprecedented national scale, endangering patients' access to care, disrupting critical clinical and eligibility operations, and threatening the solvency of the nation's provider network,” the report noted. “It demonstrated that the national consequences of cyberattacks targeting mission-critical third-party providers can be even more devastating than when hospitals or health systems are attacked directly.”
Among key takeaways:
By the numbers: A March 2024 AHA survey of nearly 1,000 hospitals found:
- 74 percent reported direct patient care impact, including delays in authorizations for medically necessary care.
- 94 percent reported the attack affected them financially.
- 33 percent reported the attack disrupted more than half of their revenue.
- 60 percent reported requiring two weeks to three months to resume normal operations once Change Healthcare’s full functionality was re-established.
Desperate measures: Many providers were forced to pivot from standard practices—including pulling from reserves or taking out private loans—to pay clinician and care team salaries, acquire necessary medicine and supplies, and pay for critical physical security, dietary and environmental services contract work.
Lessons learned: Relentless cybercriminals are aiming for maximum impact to elicit greater ransom and increase the odds that victims will pay it. Also, individual hospitals and health systems have been proactive in shoring up their cyber defenses to make them harder targets.
Mitigating risk: Since future attacks seem inevitable, agencies need to take a two-pronged approach to mitigating risk: bolstering cyber defenses at the provider, regional, and systemic levels while, at the same time, optimizing the ability to respond quickly in case of an attack. The attack on Change Healthcare has shown that emphasis should be placed on diversifying service providers and on developing a robust third-party risk management program.
Quotable: “The far-reaching, long-lasting impact of the Change Healthcare attack highlights the ongoing challenges cybercrime poses for the health care sector. It reinforces the urgency of bolstering cyber defenses at the provider, regional, and systemic levels while concurrently optimizing the ability to respond quickly in case of attack,” the report noted.
Read the AHA report online.